I have an Azure storage account with SFTP enabled. I have multiple containers with one user for each container with permissions to only that container. I would like to also have a user with access to all containers. I know it is possible to do so in the Azure portal. I, however, need to be able to do it from PowerShell. I see two possible options: Either by having a permission scope that simply gives the user permissions to everything including new containers when they are added or by adding to the existing permissions when a new container is added.
I have tried using the New-AzStorageLocalUserPermissionScope function from the Az module. With this function, though, I can (AFAIK) only specify one container to give permissions to. If update a user with a new permission scope with the Set-AzStorageLocalUser function it overwrites the existing permission.
I was able to create a solution by appending permission scopes as suggested by Jahnavi.
Creating and appending the permission scopes one by one every time I update the user is not a possibility, though, as I will only have the information on the container that should be added to the permissions. My solution is to save the permission scope as a JSON-file. Every time I need to add a permission I do the following:
Here is the code I use:
# Read permissions from JSON
$CurrentPermissions = Get-Content -Path permissions.json | ConvertFrom-Json
# Permission scope for new container
$ContainerPermission = New-AzStorageLocalUserPermissionScope -Permission rwdlc -Service blob -ResourceName "mycontainer"
# Conbine permissions
$NewPermissions = $CurrentPermissions + $ContainerPermission
# Assign new permissions to user
$LocalUser = Set-AzStorageLocalUser -ResourceGroupName "MyResourceGroup" -StorageAccountName "mystorageaccount" -UserName "myuser" -PermissionScope $NewPermissions
# Write new permissions to json file
$NewPermissions | ConvertTo-Json | Out-File "permissions.json"